pdb1 - Oracle Database Security Risk Assessment


Oracle Database Security Risk Assessment
Highly Confidential

Assessment Date & Time
1.0.2 (October 2016) - 7409

Database Identity

Name: ORCL
Platform: Microsoft Windows x86 64-bit
Role: PRIMARY
Log Mode: NOARCHIVELOG
Remaining identity columns (labels not legible in this copy): Fri Jan 06 2017, True, 3, PDB1

Summary

Number of findings per section, by status:

| Section | Pass | Evaluate | Advisory | Some Risk | Significant Risk | Severe Risk |
|---|---|---|---|---|---|---|
| Basic Information | 0 | 1 | 0 | 0 | 0 | 0 |
| User Accounts | 4 | 0 | 0 | 3 | 2 | 1 |
| Privileges and Roles | 5 | 12 | 0 | 1 | 0 | 0 |
| Authorization Control | 0 | 0 | 2 | 0 | 0 | 0 |
| Data Encryption | 0 | 0 | 1 | 0 | 0 | 0 |
| Fine-Grained Access Control | 0 | 1 | 4 | 0 | 0 | 0 |
| Auditing | 4 | 5 | 1 | 0 | 2 | 0 |
| Database Configuration | 4 | 4 | 0 | 2 | 1 | 0 |
| Network Configuration | 0 | 0 | 0 | 0 | 0 | 0 |
| Operating System | 0 | 0 | 0 | 0 | 0 | 0 |
| Total |  | 23 | 8 | 6 |  |  |

Basic Information

Database Version

Security options used: (none)

Security Features

pdb1 - Oracle Database Security Risk Assessment file:///C:/opt/dbsat/pdb1.html

1 of 32 10/25/2017 10:28 AM


| Feature | Currently Used |
|---|---|
| AUTHORIZATION CONTROL | |
| Database Vault | No |
| Privilege Analysis | No |
| DATA ENCRYPTION | |
| Column Encryption | No |
| Tablespace Encryption | No |
| Network Encryption | No |
| FINE-GRAINED ACCESS CONTROL | |
| Data Redaction | No |
| Virtual Private Database | Yes |
| Real Application Security | No |
| Label Security | No |
| Transparent Sensitive Data Protection | No |
| AUDITING | |
| Traditional Audit | Yes |
| Fine Grained Audit | No |
| Unified Audit | Yes |
| USER AUTHENTICATION | |
| External Authentication | No |

Patch Check

Status: Evaluate

Summary: OPatch information not available.

Details:
Patch Inventory: Not available
Patch History:
  Action time: Mon Jan 09 2017 16:33:00
  Action: APPLY
  Version: 12.1.0.2
  Bundle series: PSU
  Description: WINDOWS DB BUNDLE PATCH 12.1.0.2.161118(64bit):24922906

Remarks: It is vital to keep the database software up to date with security fixes as they are released. Oracle issues Patch Set Updates (PSU) on a regular quarterly schedule. These updates should be applied as soon as they are available. For releases prior to Oracle Database 12c, quarterly updates may be delivered by patches not marked as PSUs.

User Accounts


Note: Predefined Oracle accounts which are locked are not included in this report. To include all user accounts, run the report with the -a option.

User Accounts

| User Name | Account Status | Profile | Default Tablespace | Yes/No | Authentication |
|---|---|---|---|---|---|
| ADIEHL | OPEN | DEFAULT | USERS | No | PASSWORD |
|  | EXPIRED & LOCKED | DEFAULT | EXAMPLE | No | PASSWORD |
| C##ADIEHL | OPEN | DEFAULT | USERS | No | PASSWORD |
|  | OPEN | DEFAULT | EXAMPLE | Yes | PASSWORD |
| PDBADMIN | OPEN | DEFAULT | USERS | No | PASSWORD |
| SOE | OPEN | DEFAULT | SOE | No | PASSWORD |
| SYS | OPEN | DEFAULT | SYSTEM | Yes | PASSWORD |

User Accounts in SYSTEM or SYSAUX Tablespace

Status: Pass

Summary: No user uses SYSTEM or SYSAUX tablespace.

Remarks: The SYSTEM and SYSAUX tablespaces are reserved for Oracle-supplied user accounts. To avoid a possible denial of service caused by exhausting these resources, regular user accounts should not use these tablespaces. Prior to Oracle Database 12.2, the SYSTEM tablespace cannot be encrypted, and this is another reason to avoid user schemas in this tablespace.

Sample Schemas

Status: Significant Risk

Summary: Found 6 sample schemas.

Details: Sample schemas: HR, IX, OE, PM, SCOTT, SH

Remarks: Sample schemas are well-known accounts provided by Oracle to serve as simple examples for developers. They generally serve no purpose in a production database and should be removed because they unnecessarily increase the attack surface of the database.

Inactive Users

Status: Some Risk

Summary: Found 5 unlocked users inactive for more than 30 days.

Details: Inactive users: C##ADIEHL, HR, PDBADMIN, SOE, SYS


Remarks: If a user account is no longer in use, it increases the attack surface of the system unnecessarily while providing no corresponding benefit. Furthermore, unauthorized use is less likely to be noticed when no one is regularly using the account. Accounts that have been unused for more than 30 days should

Case-Sensitive Passwords

Status: Pass

Summary: Case-sensitive passwords are used.

Details: Initialization parameter SEC_CASE_SENSITIVE_LOGON is set to TRUE.

Remarks: Case-sensitive passwords are recommended because including both upper- and lower-case letters greatly increases the set of possible passwords that must be searched by an attacker who is attempting to guess a password by exhaustive search. Setting SEC_CASE_SENSITIVE_LOGON to TRUE ensures that the database distinguishes between upper- and lower-case letters in passwords.

Users with Expired Passwords

Status: Some Risk

Summary: Found 4 unlocked users with password expired for more than 30 days.

Details: Users with expired passwords: C##ADIEHL, PDBADMIN, SOE, SYSTEM

Remarks: Password expiration is used to ensure that users change their passwords on a regular basis. If a user's password has been expired for more than 30 days, it indicates that the user has not logged in for at least that long. Accounts that have been unused for an extended period of time should be investigated to determine whether they should remain active.

Users with Default Passwords

Status: Severe Risk

Summary: Found 3 unlocked user accounts with default password.

Details: Users with default password: HR, SYS, SYSTEM

Remarks: Default account passwords for predefined Oracle accounts are well known. Open accounts with default passwords provide a trivial means of entry for attackers, but well-known passwords should be changed for locked accounts as well.

Password Verifiers

Status: Some Risk


Summary: All user accounts support the latest password version. Found 8 accounts with HTTP password verifiers.

Details: Database supports password versions up to 12C.
Users requiring updated password verifiers: (none)
Users with HTTP verifiers: ADIEHL, BI, C##ADIEHL, HR, PDBADMIN, SOE, SYS, SYSTEM

Remarks: For each user account, the database may store multiple verifiers, which are hashes of the user password. Each verifier supports a different version of the password authentication algorithm. Every user account should include a verifier for the latest password version supported by the database so that the user can be authenticated using the latest algorithm supported by the client. When all clients have been updated, the security of user accounts can be improved by removing the obsolete verifiers. HTTP password verifiers are used for XML Database authentication. Use the ALTER USER command to

User Profiles

| Profile | Parameter | Value |
|---|---|---|
| DEFAULT | (Number of Users) | 8 |
| DEFAULT | CONNECT_TIME | UNLIMITED |
| DEFAULT | FAILED_LOGIN_ATTEMPTS | 10 |
| DEFAULT | IDLE_TIME | UNLIMITED |
| DEFAULT | PASSWORD_GRACE_TIME | 7 |
| DEFAULT | PASSWORD_LIFE_TIME | 180 |
| DEFAULT | PASSWORD_LOCK_TIME | 1 |
| DEFAULT | PASSWORD_REUSE_MAX | UNLIMITED |
| DEFAULT | PASSWORD_REUSE_TIME | UNLIMITED |
| DEFAULT | PASSWORD_VERIFY_FUNCTION | NULL |
| ORA_STIG_PROFILE | (Number of Users) | 0 |
| ORA_STIG_PROFILE | CONNECT_TIME | UNLIMITED (DEFAULT) |
| ORA_STIG_PROFILE | FAILED_LOGIN_ATTEMPTS | 3 |
| ORA_STIG_PROFILE | IDLE_TIME | 15 |
| ORA_STIG_PROFILE | PASSWORD_GRACE_TIME | 5 |
| ORA_STIG_PROFILE | PASSWORD_LIFE_TIME | 60 |
| ORA_STIG_PROFILE | PASSWORD_LOCK_TIME | UNLIMITED |
| ORA_STIG_PROFILE | PASSWORD_REUSE_MAX | 10 |
| ORA_STIG_PROFILE | PASSWORD_REUSE_TIME | 365 |

Users with Unlimited Password Lifetime

Status: Pass


Summary: Password expiration is configured for all users.

Remarks: Password expiration is used to ensure that users change their passwords on a regular basis. Passwords that never expire may remain unchanged for an extended period of time. When passwords do not have to be changed regularly, users are also more likely to use the same passwords for

Users with Unlimited Failed Login Attempts

Status: Pass

Summary: No users have unlimited failed login attempts.

Remarks: Attackers sometimes attempt to guess a user's password by simply trying all possibilities from a set of common passwords. To defend against this attack, it is advisable to lock a user account when there are multiple failed login attempts without a successful login.

Password Verification Functions

Status: Significant Risk

Summary: Found 8 users not using password verification function.

Details: Profiles with password verification function: ORA_STIG_PROFILE
Profiles without password verification function: DEFAULT
Users using profiles without password verification function: ADIEHL, BI, C##ADIEHL, HR, PDBADMIN, SOE, SYS, SYSTEM

Remarks: Password verification functions are used to ensure that user passwords meet minimum requirements for complexity, which may include factors such as length, use of numbers or punctuation characters, difference from previous passwords, etc. Oracle supplies several predefined functions, or a custom PL/SQL function can be used. Every user profile should include a password verification function.

Privileges and Roles

All System Privileges

Status: Evaluate

Summary: 494 grants of system privileges

Details: Users directly or indirectly granted each system privilege:

ADMINISTER ANY SQL TUNING SET: ADIEHL, SYSTEM

ADMINISTER DATABASE TRIGGER: ADIEHL, SYSTEM

ADMINISTER KEY MANAGEMENT: (none)

ADMINISTER RESOURCE MANAGER: ADIEHL, SOE, SYSTEM

ADMINISTER SQL MANAGEMENT OBJECT: ADIEHL, SYSTEM

ADMINISTER SQL TUNING SET: ADIEHL, SYSTEM

ADVISOR: ADIEHL, SYSTEM

ALTER ANY ASSEMBLY: ADIEHL, SYSTEM

ALTER ANY CLUSTER: ADIEHL, SYSTEM

ALTER ANY CUBE: ADIEHL, SYSTEM
